Facing problem while reproducing the crash

[SATHYA NARAYANA]

Hi Team,

I have setup the syz-fuzzer as per the documentation and observed few crashes related with "use-after-free" in code.

I am trying to reproduce same by using syz-repro utility and executing following steps.

1. Creating the VM by using virt-run

2. Executing the following command inside the VM

./syz-repro -config=test.cfg workdir/crashes/log9

Error message observing:

2022/10/11 18:33:37 reproducing crash 'kernel BUG ': failed to init instance: failed to create VM: failed to read from qemu: EOF
qemu-system-x86_64: -hda stretch.img: Could not get temporary filename: Read-only file system

Config file:

{
        "target": "linux/amd64",
        "http": "127.0.0.1:56741",
        "workdir": "/home/test/syzkaller/workdir",
        "kernel_obj": "/home/test/syzkaller/kernel",
        "image": "/home/test/syzkaller/stretch.img",
        "sshkey": "/home/test/syzkaller/stretch.id_rsa",
        "syzkaller": "/home/test/p4tc_new/syzkaller_0920",
        "enable_syscalls": ["sendmsg$nl_route_sched","socket$nl_route"],
        "procs": 4,
        "type": "qemu",
        "vm": {
                "count": 1,
                "cpu": 1,
                "mem": 2048,
                "kernel": "/home/test/kernel/arch/x86/boot/bzImage"
        }
}

Is this the right way to reproduce?

Can you please provide some info on what might be missing?

Thanks & Regards,

Sathya.

[Dmitry Vyukov]

Hi Sathya,

It seems there is something wrong with your qemu or image.
You can run syz-repro with -debug flag. It will print the qemu command
line it uses. And then use the command line to debug what's wrong with
qemu/image and how to make it work.

[SATHYA NARAYANA]

Thank you for response.

QEMU command syz-repro is generating

qemu-system-x86_64 -m 32768 -smp 1 -chardev socket,id=SOCKSYZ1,server=on,wait=off,host=localhost,port=18936 -mon chardev=SOCKSYZ1,mode=control -display none -serial stdio -no-reboot -name "VMTEST-0" -device virtio-rng-pci -enable-kvm -cpu host,migratable=off -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp:127.0.0.1:62197-:22000 -hda /home/user/test//rootfs.new.img -snapshot -kernel /home/user/bzImage -append root=/dev/sda

 But somehow, ssh into the VM looks failing.

Error message:

OpenSSH_8.4p1 Ubuntu-5ubuntu1.2, OpenSSL 1.1.1j 16 Feb 2021
debug1: Reading configuration data /dev/null
debug1: Connecting to localhost [127.0.0.1] port 62197.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/ped07/.ssh/id_rsa type -1
…
debug1: identity file /home/ped07/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Ubuntu-5ubuntu1.2
Connection timed out during banner exchange
Connection to 127.0.0.1 port 62197 timed out

Captured PCAP and my analysis is below. Attached same.

1. ssh is sending the tcp syn packet, to qemu with correct port number. (62197)
2. Looks like, linux stack only sending the syc-ack
3. Host is responding with ack, and connection established successfully.
4. Host sending the length of 41 bytes. (Probably banner)
5. Observing the ack also and expecting for 42nd byte.

Now, the ssh is hung state.

1. After 10sec, ssh initiated the connection closure. 

I was going through ssh source code and observed that, if QEMU does not responds, ssh dump that error message

Thanks & Regards,

Sathya.

[SATHYA NARAYANA]

Looks like this behavior is system specific and nothing related to reproduction.

Thanks a lot for the support.

We can close this thread.

[Pawel Rybalkiewicz]

Hi Sathya, Hi all, forgive me for this direct approach but ...
looks like I've exactly the same problem ...
I'm able to run vm and login in to it with ssh-key, but if I run syz-manager or syz-crush, problem appear, logs:

..........
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type -1
…

Connection timed out during banner exchange

Connection to 127.0.0.1 port 62191 timed out
..........


Because of this I've got a question to you, were you able to fix this problem ... if yes how ?
- by changing OS version ? (i.e. from ubuntu to fedora) ?
- by recompiling user-space or kernel in some specific way ?
- by changing ssh source-code ?
- any other way to solve that ?

Hope you will wind a moment to comment this.
Thank you

[maksim lev]

I'm going through the same "Connection timed out during banner exchange" issue. I tired multiple stuff like timeout, played with the init file that gets created by syzkaller, tried to change different settings in qemu.go file. Nothing works so far.
If anyone can help I would apprecaite it.